“MostereRAT” Malware Stealthily Evades Detection and Disables Security Software

331/68 Wednesday, September 10, 2025

A new report from Fortinet has revealed a cyberattack campaign involving MostereRAT (Mostere Remote Access Trojan), a malware specifically designed to stealthily infiltrate and maintain long-term control over Windows systems. What makes MostereRAT stand out is its use of an uncommon programming language, its ability to disable security software, and its use of legitimate remote-control tools to manage compromised machines. According to the report, MostereRAT can operate at the “TrustedInstaller” level, which is higher than administrator privileges, allowing it to freely modify files and security settings. It can also download and install legitimate remote-access software such as AnyDesk and TightVNC to control the victim’s machine without raising suspicion.

The attack begins with phishing emails disguised as routine business correspondence, tricking Windows users into clicking a malicious link that leads to a fake website. The site delivers a Word document containing an embedded archive file. Once opened, the document silently installs MostereRAT onto the system. One of the reasons it is so difficult to detect is that it is written in Easy Programming Language (EPL), which is rarely used, making it harder for security tools to analyze. Once installed, the malware immediately starts disabling antivirus and endpoint detection and response (EDR) tools from over 10 vendors, including Windows Defender, Kaspersky, McAfee, and Norton, using techniques borrowed from red teaming tools such as EDRSilencer.

Experts at Fortinet emphasized that the design of MostereRAT highlights its goal of maintaining long-term persistence to steal sensitive information and exploit system resources. James Maude, an executive at BeyondTrust, added that while MostereRAT employs sophisticated methods, its success still relies on exploiting over-privileged user accounts. The most effective defense, therefore, is to restrict local administrator privileges to minimize the attack surface and limit damage in case of infection. Organizations are also advised to block or monitor unauthorized remote-access tools, which attackers often use to maintain ongoing access to compromised systems, thereby reducing the risk of this type of attack.
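The two mitigations above (limiting local administrator rights and watching for unsanctioned remote-access tools) can be checked on a host with a read-only audit. The following PowerShell script is an added example and is not code from the Fortinet report or the article; it assumes the default executable and service names shipped by AnyDesk (AnyDesk.exe) and TightVNC (tvnserver.exe), and it treats Windows Security event 4732 (a member added to a local group) as the signal for new local administrators. Run it in an elevated session on the machine being reviewed.

```powershell
# Added example (not from the Fortinet report or the article): read-only audit supporting the
# two mitigations named in the text. Assumption: the process/service name patterns below are the
# defaults for AnyDesk and TightVNC; adjust $ApprovedRemoteTools to your own policy.
$RemoteToolPatterns  = @('anydesk', 'tvnserver', 'tightvnc')
$ApprovedRemoteTools = @()   # e.g. @('anydesk') if AnyDesk is the sanctioned tool

function Test-UnapprovedRemoteTool {
    param([string]$Text)
    $t = $Text.ToLower()
    $hit      = $RemoteToolPatterns  | Where-Object { $t -like "*$_*" }
    $approved = $ApprovedRemoteTools | Where-Object { $t -like "*$_*" }
    return ([bool]$hit -and -not [bool]$approved)
}

# 1. Who holds local administrator rights? Each entry is an account whose compromise gives an
#    attacker the starting point the article describes (over-privileged user -> SYSTEM/TrustedInstaller).
Write-Host '== Members of the local Administrators group =='
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Recent additions to local groups (Security event 4732), so new administrators stand out.
Write-Host '== Local group membership changes in the last 7 days (event 4732) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Running processes that match remote-access tool names and are not on the approved list.
Write-Host '== Unapproved remote-access tool processes =='
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { Test-UnapprovedRemoteTool -Text $_.ProcessName } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

# 4. Installed services whose name or binary path points at a remote-access tool. A service is the
#    usual way such tools survive a reboot, so this catches tools that are installed but not running.
Write-Host '== Unapproved remote-access tool services =='
Get-CimInstance Win32_Service |
    Where-Object { (Test-UnapprovedRemoteTool -Text $_.Name) -or (Test-UnapprovedRemoteTool -Text ([string]$_.PathName)) } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

The script only reads state and prints findings; turning a hit into a block (removing the account from Administrators, stopping or uninstalling the service, or adding an application-control rule) is a policy decision that should go through change management rather than be automated from an audit script.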

Source: https://www.darkreading.com/cyberattacks-data-breaches/mostererat-blocks-security-tools